IETF Logo Mail Archive

Re: [jose] Should we delete the "typ" header field

Nat Sakimura <sakimura@gmail.com> Thu, 06 June 2013 01:03 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64C1121F944C for <jose@ietfa.amsl.com>; Wed, 5 Jun 2013 18:03:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.296
X-Spam-Level: ***
X-Spam-Status: No, score=3.296 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6, NO_RELAYS=-0.001, TRACKER_ID=2.696]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sDG7vNgGwAcb for <jose@ietfa.amsl.com>; Wed, 5 Jun 2013 18:03:57 -0700 (PDT)
Received: from mail-qa0-x22a.google.com (mail-qa0-x22a.google.com [IPv6:2607:f8b0:400d:c00::22a]) by ietfa.amsl.com (Postfix) with ESMTP id DF38B21F9425 for <jose@ietf.org>; Wed, 5 Jun 2013 18:03:56 -0700 (PDT)
Received: by mail-qa0-f42.google.com with SMTP id hu16so101976qab.8 for <jose@ietf.org>; Wed, 05 Jun 2013 18:03:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=XiGpHmur8t4ddeQr7KNqKR6p8uezUIL9+gqRwwDD7WI=; b=qZDckMxQkHErHZYPSsEJ6WhmkxF7EDtT391YzDu+x8wayaXGt0l71X0ut1cGd5olx6 w3Sd1te05gABQ/s26soBFKPdDa+UidHlR3q4NB9KgRSi2pEwuwvjy21+2Px4rGIRe7il EI7rFLHg6bFQjGfdsKrghIruYuZB2UXEiFabenjZ08RH1H3aKLN1IAt/mxRjwwg4h1tN LE4mytldgRu2E5/Yx1ntjQzG2cClViZcJqi2b3yeWByIvnI7sG7QEVLxkEecQyq8QYp9 mXi+dFKW8UykIS53FgRtryRMJUug9plChgbG1MMt10fTsl87ip+31EVMWoKCMPOsHcPf IcHw==
MIME-Version: 1.0
X-Received: by 10.49.101.74 with SMTP id fe10mr6127853qeb.11.1370480636245; Wed, 05 Jun 2013 18:03:56 -0700 (PDT)
Received: by 10.49.95.230 with HTTP; Wed, 5 Jun 2013 18:03:56 -0700 (PDT)
In-Reply-To: <CAD9ie-s1uWSsRDJHb8Z_NPQvuAWWJmYPkTp8g_PbacA5gaqT1w@mail.gmail.com>
References: <02b701ce5cb8$46ae77e0$d40b67a0$@augustcellars.com> <CAD9ie-vK3gY9b9GQrbUa=TACy5KVA1uPH_u_utucoKzVynjuiA@mail.gmail.com> <02f501ce5cc5$ec9a2200$c5ce6600$@augustcellars.com> <CAD9ie-uV-THE0+oL-dNUB0qXF7sx8jHMZDCz8vGESmUHWV=LMg@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C58C4@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAD9ie-sm7q6gdzC-aTKt=+b=A8wB68ExTP1FwiT=zQTN7b69zA@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C5C0A@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgR=Lh5_HogPtgoFM+qhwNkqOFaW0+TzOCAziUwK8ZqQaw@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C7399@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgR6XfSwHxOLym_pkM+9EOE8yRUEncLToKbrLVJxoOgxDg@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C9B69@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAL02cgTrpkt0PyvLmnSKTchST5hgbzjkLQMq3hr6O2pij7LgjQ@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943677C9E95@TK5EX14MBXC285.redmond.corp.microsoft.com> <CABzCy2Cd6LJB63b8REsyW0yjS=2DMBaSwsL-ZUnwG-aCXJ5P-Q@mail.gmail.com> <CA+k3eCT6Dq2jo6Lx6SEMkNDrLKREJTkzwNxT7ggJHDJtvQVG2A@mail.gmail.com> <CAL02cgSeurHAEsAtEaEDYAko2Or8dFAOx8QWe-G2e4nss_AX4g@mail.gmail.com> <CABzCy2DtkqzSSC9Xgy7Gkf0_cxuV7Zn5Jux+NRPiF1LO6PtObw@mail.gmail.com> <CAL02cgTLpoYuh3iMrYtOKrYR82GqWQyzCnEZh6d0Li8Wxgn8bA@mail.gmail.com> <CABzCy2DpkF=LD13jZb5B6-4fFxZO37Aj9vh8HRBupRxNd6Mpfg@mail.gmail.com> <CAD9ie-s1uWSsRDJHb8Z_NPQvuAWWJmYPkTp8g_PbacA5gaqT1w@mail.gmail.com>
Date: Thu, 06 Jun 2013 10:03:56 +0900
Message-ID: <CABzCy2Abnv=Cm=nSN2t4b+B=G-rBrza6nrK+VPxqWUcTFpZEYw@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c2c6ce7f04f204de71e38e"
Cc: Richard Barnes <rlb@ipv.sx>, Mike Jones <Michael.Jones@microsoft.com>, Brian Campbell <bcampbell@pingidentity.com>, Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Should we delete the "typ" header field
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2013 01:03:59 -0000

It is giving the meaning to the signature - metadata about the signature,
so I thought header would be more appropriate, besides, the payload is
binary and I can avoid double base64 encoding that way.


2013/6/6 Dick Hardt <dick.hardt@gmail.com>

> Why would you need that in the header? Why not in the payload?
>
>
> On Wed, Jun 5, 2013 at 5:31 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>
>> What I was thinking as an example was to have 'datetime' as a public
>> header parameter to be used generally, and then differentiate between two
>> cases of 'agreement' and 'timestamp'. It is the same signing operation over
>> the original (e.g., a MS word document), but from an application point of
>> view, it is a bit different. Former constitute an agreement while the later
>> does not. The type=timestamp just signifies that the original document
>> existed at the time indicated.
>>
>>
>> 2013/6/5 Richard Barnes <rlb@ipv.sx>
>>
>>> I'm not sure I understand the use case here.  Let me look at a couple of
>>> options, and hopefully one of them will be what you meant :)
>>>
>>> If it's just a signed timestamp you're talking about, then that's
>>> adequately described by cty="timestamp", typ="JWS".
>>>
>>> If you want to sign something and add a timestamp in the header, then
>>> typ="timestamp" isn't accurate according to the current specification.  The
>>> type of the whole object would have to be something like
>>> "timestamped-content".  And in that case, an application can easily
>>> recognized that it's timestamped content by looking for the timestamp field
>>> in the header, so the "typ" isn't really helpful.
>>>
>>>
>>> Moving from the example to the general question:
>>>
>>> I think we finally have some common understanding on this list as to
>>> what Mike means by "typ" in the current document -- a label for the
>>> application-layer type of the overall object.  Thanks to Mike for
>>> clarifying that in this discussion.
>>>
>>> The question is whether this is a sufficiently useful thing to have in
>>> the core spec.  Obviously, applications have to know what type of object
>>> they're dealing with when they get a JOSE object.  That includes (1) what
>>> type of content is in the payload, and (2) what application-layer fields
>>> are required to be in the header.  (1) is covered by "cty".  So "typ" is
>>> only useful in the case where:
>>> A. The application is storing application-layer data in the JOSE header
>>> B. The required application-layer fields can be different for different
>>> objects
>>> C. The required application-layer fields can be different for different
>>> objects of the same content type
>>> D. The required application-layer fields are not indicated by other
>>> application-layer context
>>>
>>> Are there any known applications that meet these criteria?  JWT does
>>> not, for several reasons.
>>> 1. (!A) JWT does not store application-layer data in the JOSE header,
>>> only in the claims in the body
>>> 2. (!C) A JWT object can indicate with "cty" that it contains JWT claims
>>> or another JWT, either of which makes it obvious that this is a JWT
>>> 3. (!D) In the OAuth context, the Token Type value indicates what type
>>> of token is being presented, e.g., JWT
>>>
>>> So there's not really any known use case for "typ" as currently
>>> specified.  On the other hand, Dick and James have pointed out that it can
>>> be useful to have "typ" indicate whether the object at hand is a JWE or
>>> JWS.  Which brings us back to:
>>> -- Change the definition of "typ" so that it indicates the JOSE-layer
>>> type (JWE/JWS)
>>> -- Remove "typ" altogether
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Wed, Jun 5, 2013 at 8:53 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>>>
>>>> What about such as this?
>>>>
>>>> cty: original
>>>> typ: timestamp
>>>>
>>>>
>>>> 2013/6/5 Richard Barnes <rlb@ipv.sx>
>>>>
>>>>> It would be a good point, if it were true :)  In particular, this
>>>>> part: "[dropping 'typ'] is going to cause each and every application
>>>>> that uses JOSE to define their own field"
>>>>>
>>>>> So far, I've heard of exactly one application of JOSE that requires
>>>>> "typ" in the way it is currently specified, namely JWT.
>>>>>
>>>>> On the other hand, Dick's applications are apparently using it
>>>>> differently (and, IMO, properly) to distinguish JWE/JWS.  Then there are
>>>>> all the applications out there that are OK using application context and
>>>>> "cty" to recognize what type of object they have.  Apps using CMS have been
>>>>> doing this for ages.
>>>>>
>>>>> So it's not at all clear to me that there's any other application that
>>>>> would use "typ" besides JWT.  And it's not clear to me that JWT needs it.
>>>>>
>>>>> --Richard
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Fri, May 31, 2013 at 5:45 PM, Brian Campbell <
>>>>> bcampbell@pingidentity.com> wrote:
>>>>>
>>>>>> Nat makes a good point here, I think.
>>>>>>
>>>>>>
>>>>>> On Thu, May 30, 2013 at 9:31 AM, Nat Sakimura <sakimura@gmail.com>wrote:
>>>>>>
>>>>>>> From what I understand, both typ and cty are something to be
>>>>>>> consumed by the application and not JOSE processor. From the point of view
>>>>>>> of the JOSE processor, they should be ignored.
>>>>>>>
>>>>>>> We could drop both fields from JOSE specs, but that is going to
>>>>>>> cause each and every application that uses JOSE to define their own field,
>>>>>>> which is a waste. That is why we are defining them here.
>>>>>>>
>>>>>>> I would rather drop them than define JOSE processing semantics to
>>>>>>> these fields.
>>>>>>>
>>>>>>>
>>>>>>> 2013/5/31 Mike Jones <Michael.Jones@microsoft.com>
>>>>>>>
>>>>>>>>  No, “cty” is used by the derived class to determine the type of
>>>>>>>> the encapsulated field.  But that’s not a complete description of the *
>>>>>>>> *entire object** - especially not the additional meaning imbued by
>>>>>>>> the additional parameters the derived type may add to the JOSE header.
>>>>>>>> “typ” is there to provide the type of the entire object, including what
>>>>>>>> you’re calling the wrapper parts.****
>>>>>>>>
>>>>>>>> ** **
>>>>>>>>
>>>>>>>>                                                             -- Mike
>>>>>>>> ****
>>>>>>>>
>>>>>>>> ** **
>>>>>>>>
>>>>>>>> *From:* Richard Barnes [mailto:rlb@ipv.sx]
>>>>>>>> *Sent:* Thursday, May 30, 2013 7:58 AM
>>>>>>>>
>>>>>>>> *To:* Mike Jones
>>>>>>>> *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt
>>>>>>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>>>>>>
>>>>>>>> ** **
>>>>>>>>
>>>>>>>> Isn't that requirement met by "cty"?  The only thing JOSE adds is a
>>>>>>>> crypto wrapper around the real application content.  If you're an
>>>>>>>> application, you know a JOSE object is the thing you want because it
>>>>>>>> contains the content you want -- it's a JWT because it contains JWT claims.
>>>>>>>> ****
>>>>>>>>
>>>>>>>> ** **
>>>>>>>>
>>>>>>>> Inheritance is the wrong metaphor.  This is encapsulation of
>>>>>>>> application data:****
>>>>>>>>
>>>>>>>> if (jws.valid && jws.cty == "application/jwt_claims") {****
>>>>>>>>
>>>>>>>>     jwtClaims = jws.content;****
>>>>>>>>
>>>>>>>> }****
>>>>>>>>
>>>>>>>> ** **
>>>>>>>>
>>>>>>>> --Richard****
>>>>>>>>
>>>>>>>> ** **
>>>>>>>>
>>>>>>>> On Thu, May 30, 2013 at 10:43 AM, Mike Jones <
>>>>>>>> Michael.Jones@microsoft.com> wrote:****
>>>>>>>>
>>>>>>>> Thanks for sharing the S/MIME details.  Although I was actually
>>>>>>>> making the analogy to MIME – not S/MIME.  Like many analogies, it’s
>>>>>>>> imperfect, but I believe still illustrative.****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> The reason that the analogy isn’t perfect is that the JOSE data
>>>>>>>> structures are used to build application-specific data structures that are
>>>>>>>> legal JOSE data structures but also have additional properties – including
>>>>>>>> additional header fields with specific semantics.  (When we agreed to
>>>>>>>> ignore not-understood header fields we let that horse out of the barn.)
>>>>>>>> For instance, Dick Hardt uses JWEs with issuer and audience fields in the
>>>>>>>> headers, so they can be used by routing software.****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> Think of JOSE as the base class and the application types built
>>>>>>>> using it as derived classes.  JWT is a derived class.  Dick’s structures
>>>>>>>> are a derived class.  These derived classes sometimes need names.  That’s
>>>>>>>> what “typ” is for.****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>>                                                             -- Mike
>>>>>>>> ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> *From:* Richard Barnes [mailto:rlb@ipv.sx]
>>>>>>>> *Sent:* Thursday, May 30, 2013 7:34 AM****
>>>>>>>>
>>>>>>>>
>>>>>>>> *To:* Mike Jones
>>>>>>>> *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt
>>>>>>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> You're mixing up "typ" and "cty".  If you want to make the analogy
>>>>>>>> to S/MIME, "cty" is the equivalent to Content-Type inside the protected
>>>>>>>> MIME body; "typ" is the content-type on the outer MIME header.  Pasting in
>>>>>>>> an example:****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> -----BEGIN-----****
>>>>>>>>
>>>>>>>> Content-Type: application/pkcs7-mime; smime-type=signed-data;****
>>>>>>>>
>>>>>>>>      name=smime.p7m****
>>>>>>>>
>>>>>>>> Content-Transfer-Encoding: base64****
>>>>>>>>
>>>>>>>> Content-Disposition: attachment; filename=smime.p7m****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> 567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7****
>>>>>>>>
>>>>>>>> 77n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH****
>>>>>>>>
>>>>>>>> HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh****
>>>>>>>>
>>>>>>>> 6YT64V0GhIGfHfQbnj75****
>>>>>>>>
>>>>>>>> -----END-----****
>>>>>>>>
>>>>>>>> <http://tools.ietf.org/html/rfc3851#section-3.4.2>****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> The outer Content-Type, which is analogous to "typ", MUST be
>>>>>>>> application/pkcs7-mime, with a parameter indicating the type of CMS object.
>>>>>>>>  This is the same as requiring "typ" to be JWE or JWS.  The inner
>>>>>>>> Content-Type (ASN.1/base64 encoded in the example) can be anything, just
>>>>>>>> like "cty".****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> --Richard****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> On Thu, May 30, 2013 at 12:53 AM, Mike Jones <
>>>>>>>> Michael.Jones@microsoft.com> wrote:****
>>>>>>>>
>>>>>>>> Requiring that the “typ” value be only “JWS” or “JWE” would be
>>>>>>>> analogous to the MIME spec requiring that the Content-Type: field be only
>>>>>>>> “text/plain” or “message/external-body”.  It would render it useless.
>>>>>>>> ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>>                                                             -- Mike
>>>>>>>> ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On
>>>>>>>> Behalf Of *Richard Barnes
>>>>>>>> *Sent:* Wednesday, May 29, 2013 8:03 PM
>>>>>>>> *To:* Mike Jones
>>>>>>>> *Cc:* Jim Schaad; jose@ietf.org; Dick Hardt****
>>>>>>>>
>>>>>>>>
>>>>>>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> If this is the level of "type" you're referring to, I think we
>>>>>>>> should drop it from the spec.  It's an application-layer thing that the app
>>>>>>>> can add or not according to its wishes.****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> I'm with Dick on this.  I think we should either have a mandatory
>>>>>>>> indicator of what type of JOSE object this, or nothing at all.   If the
>>>>>>>> former, the allowable values are "JWE" and "JWS".  The "+JSON" options are
>>>>>>>> non-sensical -- the app needs to know what it's parsing before it gets this
>>>>>>>> header.  While I have a preference for the former (for clarity), the latter
>>>>>>>> approach is also OK with me, since the MIME types are specific to JWE/JWS.
>>>>>>>> ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> Another approach here would be to address the JSON and compact
>>>>>>>> forms separately.  The JSON form has no need of "typ" at all, since the
>>>>>>>> type of the object is completely clear from what fields are there, e.g.,
>>>>>>>> "recipients" vs. "signatures".  For the compact form, we could do something
>>>>>>>> like James's "E."/"S." prefix idea, which you need because the
>>>>>>>> dot-separated components have different meanings and no field names to
>>>>>>>> indicate this.****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> --Richard****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> On Wed, May 29, 2013 at 8:30 PM, Mike Jones <
>>>>>>>> Michael.Jones@microsoft.com> wrote:****
>>>>>>>>
>>>>>>>> A standard library is unlikely to know the meanings of all possible
>>>>>>>> “typ” values – and more to the point, *it doesn’t have to*.  It’s
>>>>>>>> the application’s job to determine that “this blob is a JOSE object” and
>>>>>>>> then pass it to a standard library, which will then ignore the “typ” value.
>>>>>>>> ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> A standard JOSE library won’t know what “typ”: “JWT” means.  It
>>>>>>>> won’t know what “typ”: “BCGovToken” is, should the BC Government want to
>>>>>>>> declare that it’s using a token with particular characteristics.  It won’t
>>>>>>>> know what “typ”: “XMPP” is, should XMPP want to declare that it’s using a
>>>>>>>> JOSE data structure with particular characteristics.  Etc.****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> All these values can be registered in the registry and used by
>>>>>>>> applications that understand them.  That’s the application’s job – not the
>>>>>>>> library’s job.  The “typ” field is just there so that applications have a
>>>>>>>> standard place to make any such declarations that they may need.***
>>>>>>>> *
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>>                                                                 --
>>>>>>>> Mike****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> *From:* Dick Hardt [mailto:dick.hardt@gmail.com]
>>>>>>>> *Sent:* Wednesday, May 29, 2013 5:18 PM
>>>>>>>> *To:* Mike Jones
>>>>>>>> *Cc:* Jim Schaad; jose@ietf.org****
>>>>>>>>
>>>>>>>>
>>>>>>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> I'd prefer to be able to use standard libraries for creating and
>>>>>>>> parsing tokens, and not specialized libraries dependent on the use case.
>>>>>>>> ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> I strongly think we either drop "typ" or make it required.****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> On Wed, May 29, 2013 at 5:03 PM, Mike Jones <
>>>>>>>> Michael.Jones@microsoft.com> wrote:****
>>>>>>>>
>>>>>>>> It’s fine for your application to specify that it’s required for
>>>>>>>> your use case.  Not applications need it, so they shouldn’t be forced to
>>>>>>>> pay the space penalty of an unnecessary field.****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>>                                                                 --
>>>>>>>> Mike****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On
>>>>>>>> Behalf Of *Dick Hardt
>>>>>>>> *Sent:* Wednesday, May 29, 2013 4:56 PM****
>>>>>>>>
>>>>>>>>
>>>>>>>> *To:* Jim Schaad
>>>>>>>> *Cc:* jose@ietf.org
>>>>>>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> I use it all the time and my code would barf if it was not there.**
>>>>>>>> **
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> I think it should be required rather than be a hint if it is going
>>>>>>>> ot be there.****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> On Wed, May 29, 2013 at 4:40 PM, Jim Schaad <ietf@augustcellars.com>
>>>>>>>> wrote:****
>>>>>>>>
>>>>>>>> I think the values just changed****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> However the way you are using it would be an argument to say that
>>>>>>>> it should be a required field.  Are you just using it as a hint if it
>>>>>>>> exists and then looking at the rest of the fields if it is not present?
>>>>>>>> ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> Jim****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> *From:* Dick Hardt [mailto:dick.hardt@gmail.com]
>>>>>>>> *Sent:* Wednesday, May 29, 2013 3:49 PM
>>>>>>>> *To:* Jim Schaad
>>>>>>>> *Cc:* jose@ietf.org
>>>>>>>> *Subject:* Re: [jose] Should we delete the "typ" header field****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> Well, I have been using, but now realize the spec changed or I was
>>>>>>>> confused.****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> I had been setting "typ" to be either "JWE" or "JWS" depending on
>>>>>>>> the type of token I was creating or parsing as it was easier than looking
>>>>>>>> at "alg"****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> As currently defined, I don't see value in "typ".****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> -- Dick****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> On Wed, May 29, 2013 at 3:02 PM, Jim Schaad <ietf@augustcellars.com>
>>>>>>>> wrote:****
>>>>>>>>
>>>>>>>> In reading the documents, I am trying to understand the
>>>>>>>> justification for having the “typ” header parameter in the JOSE documents.
>>>>>>>> ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> The purpose of the field is to hold the type of the object.  In the
>>>>>>>> past, I believe that values which should now be placed in the cty field
>>>>>>>> (such as “JWT”) were placed in this field as well.  However the parameter
>>>>>>>> is optional and an implementation cannot rely on its being present.  This
>>>>>>>> means that for all practical purposes all of the code to determine the
>>>>>>>> value of the type field from the values of the alg and enc fields.  If the
>>>>>>>> field was mandatory then this code would disappear at a fairly small space
>>>>>>>> cost and I can understand why the parameter would be present.****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> Can anybody justify why this field should be present in the
>>>>>>>> document – or should it just disappear?****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> Jim****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> jose mailing list
>>>>>>>> jose@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/jose****
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> --
>>>>>>>> -- Dick ****
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> --
>>>>>>>> -- Dick ****
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> jose mailing list
>>>>>>>> jose@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/jose****
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> --
>>>>>>>> -- Dick ****
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> jose mailing list
>>>>>>>> jose@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/jose****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>>  ****
>>>>>>>>
>>>>>>>> ** **
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> jose mailing list
>>>>>>>> jose@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/jose
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Nat Sakimura (=nat)
>>>>>>> Chairman, OpenID Foundation
>>>>>>> http://nat.sakimura.org/
>>>>>>> @_nat_en
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> jose mailing list
>>>>>>> jose@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/jose
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Nat Sakimura (=nat)
>>>> Chairman, OpenID Foundation
>>>> http://nat.sakimura.org/
>>>> @_nat_en
>>>>
>>>
>>>
>>
>>
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>
>
>
> --
> -- Dick
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

v2.23.0 | Report a Bug | By Email